InfoSec & Cybersecurity Engineer I/II/III/IV - 015276

The InfoSec & Cybersecurity Engineer role develops, maintains and coordinates the company's information security activities in support of the company's information security program, 24/7/365. This position provides technical information security risk management and compliance services and support to company's lines of business and provides information security consulting and support to all levels of company's management in support of the information security program.

This position is responsible for the design, implementation, and operation of company-wide security infrastructures. The incumbent evaluates and proposes new security solutions and also advises and consults with the security manager and various levels of management regarding protection of computing resources and information assets.

Essential Responsibilities/Accountabilities:

All Levels:

Level I:

• Works under the direction of a more senior engineer.
• Delivers support for the Company's Information Security Framework and strives to improve maturity of the Information Security program in certain Framework domains.
• May respond to requests within defined SLAs relating to various information security systems, programs, and processes.
• Maintains risk management documentation to monitor lifecycle progress, track acceptance decisions and catalog remediation actions.
• Utilizes automated Governance, Risk and Compliance tools to track artifacts of the risk management lifecycle.
• Enforces information security policies, standards and procedures by administering, and monitoring security reports; and investigates possible security exceptions.
• Delivers information risk management services for new and existing Information Technology (IT) automation products and projects.
• Participates in rotation of 24/7 on call coverage.
• Assists in the execution of HIPAA, MAR, PCI, and COBIT compliance activities.
• Integrates security tools and appropriate controls into existing systems and applications.
• Collaborates with the Networking, Information Management and Web Development groups to ensure an appropriate level of security controls is "baked into" our infrastructure and applications.
• Consults with information systems owners to categorize systems; select, implement and assess controls; and frame, assess and monitor risk.
• Assists with integrating security tools and appropriate controls into new systems and applications.
• Assists in department self-audit, internal audit, external audit reviews, and risk assessments for EIT and for end user departments.
• Participates in IT security assessment of supplier (3rd party vendors and cloud services) and develops recommendations to improve security and mitigate security risks.
• Consistently demonstrates high standards of integrity by supporting the Lifetime Healthcare Companies' mission and values, adhering to the Corporate Code of Conduct, and leading to the Lifetime Way values and beliefs.
• Maintains high regard for member privacy in accordance with the corporate privacy policies and procedures.
• Regular and reliable attendance is expected and required.
• Performs other functions as assigned by management.

Level II (in addition to Level I essential responsibilities/accountabilities):

• Works independently, at times, to support the organization to deliver support for the Company's Information Security Framework.
• Keeps abreast of cyber threat landscape and evolving mitigation approaches and techniques.
• Performs as the Subject Matter Expert for at least one information security technology, processes and practices internally to Health Plan - including making recommendations relating to this technology.
• Provides technical expertise and support to security administrators on distributed systems security and implements automated solutions for security administration requests.
• Trains and provides technical support to Security Administrators and lower level InfoSec & Cybersecurity Engineers on distributed system and application security.
• Provides consultation and facilitation support services to Company and its subsidiaries in information security matters, compliance with the Company's information security policies and standards.
• Integrates security tools and appropriate controls into new systems and applications.
• Acts as a security consultant for Company's IT platforms, databases, middle-wares, and messaging systems (with oversight from a more senior engineer)
  
  Level III (in addition to Level II essential responsibilities/accountabilities):
• Works independently to support the organization to deliver support for the Company's Information Security Framework.
• Develops methodology to evaluate security technologies.
• Creates and implements security solutions that are compliant with Company's architectural standards.
• Works to mentor and train lower level staff.
  
  Level IV (in addition to Level III essential responsibilities/accountabilities):
• May act as Team Leader in management's absence.
• Performs as the Subject Matter Expert for more than two information security technologies, processes and practices internally to Health Plan, and externally in the industry as a whole.
  
  Minimum Qualifications:
  
  NOTE:
  
  We include multiple levels of classification differentiated by demonstrated knowledge, skills, and the ability to manage increasingly independent and/or complex assignments, broader responsibility, additional decision making, and in some cases, becoming a resource to others. In addition to using this differentiated approach to place new hires, it also provides guideposts for employee development and promotional opportunities.
  
  All Levels:
  
  Level I:
• Bachelor's degree in Computer Science, Information Technology and 2-3 years of experience or relevant field (or four additional years related work experience in lieu of bachelors).
• Related work experience (i.e. Co-op/Internships) preferred.
• Hands on experience with the following operating systems preferred: mainframe, Windows, and UNIX (Linux, AIX, Solaris, etc.).
• Demonstrated general scripting knowledge (i.e. BASH, Python, Perl, etc.)
• Basic knowledge of a minimum of one concept and/or tool listed below:
• Encryption
• PKI
• Network and application security, and related firewalls (Palo Alto Networks, Imperva, etc.)
• AD, LDAP and various authentication implementations.
• Virus detection and end point security (McAfee preferred)
• Vulnerability scanner and pen testing tools (e.g., Rapid 7, Nessus, Nexpose, Metasploit, Appscan, Burp suite, Ida Pro etc.)
• IDS/IPS and related tools
• SIEM and tools (e.g., ArcSight, Splunk, SolarWind LEM, QRadar, McAfee, etc.)
• Managing log sources, creating searches, and integrating apps.
• Maintaining detection mapping against the MITRE ATT&CK framework to identify and close gaps.
• Preparation and planning for security across a hybrid on-prem / multi-cloud environment.
• Common web application security vulnerabilities (e.g. OWASP top ten)
• Excellent verbal communications skills and concise written communication skills.
• Excellent organization and multi-tasking skills.
• Demonstrated ability to work both independently and as part of a team.
  
  Level II (in addition to Level I minimum qualifications):
• 3-5 years of experience, and basic knowledge of a minimum of two plus concepts and/or tools listed above.
• 2 years hands-on experience securing cloud applications and infrastructure (Azure strongly preferred).
• Demonstrated understanding and working knowledge of public cloud infrastructure and services.
• CISSP, CISA, CISM or other relevant security certification, or equivalent experience and knowledge required.
• Experience with security controls for operating systems, applications, and database management systems.
• Experience in evaluating security software packages.
• Experience with security automation, including associated reporting and notification.
• Knowledge of network regulations, industry standards and operational constraints of networks systems.
  
  Level III (in addition to Level II minimum qualifications):
• 5+ years of experience, and basic knowledge of a minimum of three plus concepts and/or tools listed above.
• Experience providing work direction for one or more individual's specific projects and initiatives.
• Experience providing guidance and mentorship to more junior team members.
• Knowledge of Security Frameworks and translating aspects into enhancing security postures.
  
  Level IV (in addition to Level III minimum qualifications):
• 7+ years of experience, and basic knowledge of a minimum of four plus concepts and/or tools listed above.
• Two years demonstrated expertise in at least three concentrations within information security technology.
• Experience with creating and managing security architecture.

Physical Requirements:

• Ability to travel across regions.
• Requires odd hours/weekend work.
  
  The Lifetime Healthcare Companies aims to attract the best talent from diverse socioeconomic, cultural and experiential backgrounds, to diversify our workforce and best reflect the communities we serve.
  
  Our mission is to foster an environment where diversity and inclusion are explicitly recognized as fundamental parts of our organizational culture. We believe that diversity of thought and background drives innovation which enables us to provide leading-edge healthcare insurance and services. With that mission in mind, we recruit the best candidates from all communities, to diversify and strengthen our workforce.
  
  OUR COMPANY CULTURE:
  
  Employees are united by our Lifetime Way Values & Behaviors that include compassion, pride, excellence, innovation and having fun! We aim to be an employer of choice by valuing workforce diversity, innovative thinking, employee development, and by offering competitive compensation and benefits.
  
  In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.

In support of the Americans with Disabilities Act, this job description lists only those responsibilities and qualifications deemed essential to the position.

Equal Opportunity Employer

Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities

The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor's legal duty to furnish information. 41 CFR 60-1.35(c)